Code Projects Scholars Tracking System

Unrestricted File Upload RCE in Scholars Tracking System 1.0
CVE-2025-70151 - February 18, 2026

code-projects Scholars Tracking System 1.0 allows an authenticated attacker to achieve remote code execution via unrestricted file upload. The endpoints update_profile_picture.php and upload_picture.php store uploaded files in a web-accessible uploads/ directory using the original, user-supplied filename without validating the file type or extension. By uploading a PHP file and then requesting it from /uploads/, an attacker can execute arbitrary PHP code as the web server user.

SQL Injection via post_content in Code Projects Scholars Tracking System 1.0
CVE-2025-14951 7.3 - High - December 19, 2025

A security vulnerability has been detected in code-projects Scholars Tracking System 1.0. The impacted element is an unknown function of the file /home.php. Such manipulation of the argument post_content leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.

SQL Injection

SQLi via ID param in Scholars Tracking Sys 1.0 delete_post.php
CVE-2025-14950 7.3 - High - December 19, 2025

A weakness has been identified in code-projects Scholars Tracking System 1.0. The affected element is an unknown function of the file /delete_post.php. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.

SQL Injection

SQLi via /admin/delete_user.php in Scholars Tracking System 1.0
CVE-2025-14940 7.3 - High - December 19, 2025

A vulnerability was determined in code-projects Scholars Tracking System 1.0. The affected element is an unknown function of the file /admin/delete_user.php. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.

SQL Injection

SQLi in Code-projects Scholars Tracking System 1.0 Eligibility Update
CVE-2024-24101 9.8 - Critical - March 12, 2024

Code-projects Scholars Tracking System 1.0 is vulnerable to SQL Injection under Eligibility Information Update.

SQL Injection

Code-projects Scholars Tracking System 1.0 XSS in News Feed (CVE-2024-24097)
CVE-2024-24097 - March 12, 2024

Cross Site Scripting (XSS) vulnerability in Code-projects Scholars Tracking System 1.0 allows attackers to run arbitrary code via the News Feed.

Code-projects Scholars Tracking System 1.0 Vulnerable to SQLi Personal Info Update
CVE-2024-24093 - March 12, 2024

SQL Injection vulnerability in Code-projects Scholars Tracking System 1.0 allows attackers to run arbitrary code via Personal Information Update information.

SQLi in Code-projects.org Scholars Tracking System 1.0 via login.php
CVE-2024-24092 - March 12, 2024

SQL Injection vulnerability in Code-projects.org Scholars Tracking System 1.0 allows attackers to run arbitrary code via login.php.

SQLi in Code-projects Scholars Tracking System 1.0 News Feed
CVE-2024-24098 7.8 - High - March 05, 2024

Code-projects Scholars Tracking System 1.0 is vulnerable to SQL Injection via the News Feed.

SQL Injection

Code-projects Scholars Tracking System 1.0 SQLi in Employment Status Update
CVE-2024-24099 - February 27, 2024

Code-projects Scholars Tracking System 1.0 is vulnerable to SQL Injection under Employment Status Information Update.